Author Archive

In the same way that most activities involving data are global, complying with the rules and regulations affecting those activities is a markedly global endeavour. Whether we are talking of multinational corporations with hundreds of thousands of employees or of a humble start-up with a clever idea, an app or a website, the ambitions are the same: tapping into the opportunities of the global marketplace. A digital marketplace that is free from the physical constraints attached to distance, cultures and infrastructure. A marketplace that is huge and that has already turned college dorm ideas into some of the most successful and influential businesses on the planet. But we must not forget that going global and using personal information collected from all over the world carries equally huge responsibilities, which extend well beyond filing forms and sweet-talking regulators.

One of the challenges faced by anyone operating globally is the fragmentation of the legal regimes affecting the handling of personal information. Today, no single privacy model has emerged as the one to follow universally. Some regimes take an all-encompassing approach, applying principles, obligations and rights to every possible activity involving personal information. In some cases – think Europe – this approach is not only comprehensive, but unashamedly strict. Other regimes go for a more down-to-earth, but still meaningful, approach to regulating privacy, allowing users of data a greater degree of discretion over the precise compliance steps to take. There are jurisdictions where the use of data within some sectors is firmly regulated whilst other sectors are entirely off the hook. This colourful variety of legal regimes and data privacy obligations makes the task of managing privacy on a global scale even harder.

An obvious route to take is to look at things on a country-by-country basis and simply try to do whatever it takes to get it right within each jurisdiction, whatever the differences. The trouble here is that compliance often becomes a prohibitively expensive exercise whose only advantage is not falling foul of each local law. The reality is that only a very limited number of organisations have the energy, resources and budget to do this. A further drawback of this approach is not just the cost of compliance, but the inability to operate globally in a truly consistent way. It is frustrating to see valuable resources devoted to tailoring practices to local demands, which makes for an inefficient and unproductive way of addressing global privacy needs.

This is exacerbated by the limitations on international data transfers and the finicky ways in which such transfers are meant to be legitimised. Take the standard contractual clauses approved by the European Commission for these purposes, for example. Although the clauses have the seal of approval of the Commission, more than half of the EU Member States still require organisations to submit their data transfer agreements for review and authorisation by the relevant data protection authorities. That is simply absurd. Then, the fact that approvals are restricted to a single contractual document covering a defined set of transfers makes the concept completely unworkable for multiple and evolving data flows. A static contractual agreement is likely to become out of date between the time it is signed and the time it is filed with the authorities – hardly solid ground on which to build a compliance programme.

Against this background, an unfortunate, but popular, choice is to do nothing. Lawyers and regulators will cringe at the thought of thousands – if not hundreds of thousands – of situations where nothing is actually done to properly address the legal restrictions affecting international data flows. Some organisations manage to spend a small fortune legitimising transfers of data across jurisdictions – both within their own international structures and to third parties – but I have the suspicion that these are a minority in the whole scheme of things. Amongst that minority, only a select group will actually get their act together and implement a workable set of global privacy safeguards. The system seems to tolerate this and regulators appear content with their ability to scrutinise those who do something about it. But this cannot be right. Global data privacy compliance is neither optional nor a pastime for those select few with the guts and stamina to go public about their practices. It is an essential need that requires a combination of fresh thinking, a workable global framework, a team approach and the right tools.

This article was first published in Data Protection Law & Policy in December 2013 and is an extract from Eduardo Ustaran’s new book The Future of Privacy.

One thing that is clear in the context of the ongoing EU data protection reform is that speculation is rife. Everyone seems to have a view on what will happen. Most people seem to think that the chances of agreeing a new framework before the end of the current Parliament in April 2014 are pretty much nil. A few others are more hopeful and believe that the political will of those involved and the relentless enthusiasm of the European Commission may just be powerful enough to achieve a little miracle. At a more granular level, speculation about the future of Safe Harbor or BCR for processors, and about the outcome of the interlinked debates on the concept of personal data, consent, legitimate interests, profiling, the one-stop-shop and a hundred other micro-issues, is creating more questions than answers.

So whilst we wait for the Council of the EU to make its move and give us a clearer idea of how big the gap may be between its own position and those of the Commission and the Parliament, it is perhaps time to take stock of where we are at the moment. The legislative process has progressed at a steady pace since the European Commission revealed its blueprint for a new framework in November 2010 – it seems like a decade ago in ‘Internet time’! But the reality is that the drafts we have on the table today still follow relatively closely the Commission’s vision of three years ago: an ambitious, harmonised regime with strong rights and tight data protection standards. Whether we like it or not, and in the absence of some really catchy radical thinking, the resulting legal framework – whenever it happens, in 5 months or 15 months – will most likely follow this pattern.

Since a radical new approach is unlikely to steal the show at this stage, here are some suggestions for modest tweaks to the current drafts that might help make the forthcoming regime a bit more realistic and workable:

• Personal data – It is quite outrageous that we are still trying to figure out whether someone’s name is personal data, as the UK courts are currently doing. If we cannot nail that one down, how are we ever going to decide whether the knowledge derived from the fact that one can turn on a toaster with an iPhone is personal data? Let’s therefore define personal data by reference to the impact that information about someone may have on that individual.

• Consent – There is no point in playing around with the definition. Irrespective of whether we leave the word ‘explicit’ in it or not, everybody is going to interpret it in whichever way they want. Let’s focus instead on accepting that the role of consent as the essence of privacy is massively overrated. We as individuals simply cannot control every possible use of our information. Therefore, consent should have a limited role as a ground for processing, and be reserved for uses of data where the level of intrusion is potentially high and we may actually have a meaningful degree of control. Very few cases indeed.

• International data transfers – Until now, UK controllers have been privileged enough to operate under a regime which effectively allows them to carry out a risk-based assessment of the appropriate measures to protect data internationally. Whilst this may have been possible under the Directive, no matter how hard the UK Government may try to preserve this approach, it is unlikely to remain an option under the Regulation – particularly in the current post-Snowden climate. A more palatable alternative across Member States would be to allow data flows on the basis of agreements between parties within and outside the EU, but without the need for specific authorisation by national regulators. Hardly an earth-shattering move, but one that would help minimise useless paperwork.

• One-stop-shop – This is one of the most promising features of the forthcoming law and possibly the flagship of the Commission’s proposals for a harmonised regime. Unfortunately and due to unhelpful political rivalries, we seem to have got ourselves into a mess of shared competences between national regulators – both individually and collectively. Isn’t it time to be brave and accept the leadership of an exclusively competent regulator who will at the same time endeavour to cooperate with their European counterparts? If so, let’s make it happen and also apply this concept to cases where the data controllership is outside Europe.

Some will see these suggestions as idealistic and some will see them as biased. In fact, they are simply meant to be effective.

This article was first published in Data Protection Law & Policy in November 2013.

When the European Commission published its proposal for a new regulation aimed at rejuvenating the 1995 Data Protection Directive in 2012, there was one major feature that stuck out above everything else. Beyond the obvious objective of tackling the data privacy challenges of the 21st century, all of the novelties proposed by the Commission had one thing in common: the principles, rights and obligations were far more prescriptive in nature than under the Directive. This was perhaps a natural consequence of having to draft a directly applicable regulation, but it represented a fundamental change from the way European data protection had operated until now.

The bulk of the proposed regulation was meant to introduce a whole new set of obligations for organisations – from data protection by default and the appointment of representatives by non-EU companies to the production of compliance policies and privacy impact assessments, and the compulsory designation of data protection officers. Plus, of course, nearly immediate data breach notification. These obligations are a trade-off for the overall reduction in regulator-facing administrative requirements, but also a new way of demanding practical compliance in the black letter of the law. If one is looking for legal certainty, there is nothing like a law which says do A, B and C, and do not do X, Y and Z. It almost makes lawyers redundant, which may well be a good thing! But aside from the risk of distorting the principle of technological neutrality, it makes that law far more dissimilar to any other law in the world regulating the same thing.

The balance between principle-based regulation and laws with clear instructions is a fragile one. Go for high level principles with woolly words such as ‘fair’, ‘reasonable’, ‘relevant’ or ‘adequate’ and you are risking inconsistency of interpretation and a lack of understanding of what the law requires. Tilt the scale towards prescriptive instructions and what you gain in legal certainty you lose in much needed flexibility. Here is the thing: clear and prescriptive obligations are helpful in the sense that they do not leave room for ambiguity. But let us not forget that privacy protection is linked to the evolution of technology, an unpredictable world requiring flexibility and quick thinking. A prescriptive law will always be constraining, not because it is strict, but because it is rigid.

Now, shift this balancing exercise to a global stage and the risk of rigid laws becoming practically ineffective is multiplied many times over. Instructions and checklists are immune to cultural and political differences, but those who need to follow those instructions and go through those checklists are not. People and organisations are revealing and accessing the same information on a global scale. The protections and norms that govern that relationship must, therefore, be geared to cope with the situation in a way that specific legal instructions cannot be. Some data privacy and security principles may be imprecise, but they have proven to pass the test of time and distance. Prescriptive norms are bound to fail that test because they lack the elasticity needed to make global privacy protection workable. Relying on principles to safeguard something so important may not be the perfect solution, but we should be looking for effectiveness, not perfection.

This article was first published in Data Protection Law & Policy in October 2013 and is an extract from Eduardo Ustaran’s forthcoming book The Future of Privacy, which is due to be published in November 2013.

They said it couldn’t be done. A draconian initial text and 4,000 suggested amendments to digest made the task so difficult that many experts had already given up hope. However, today the European Parliament has silenced many sceptical voices by approving a draft Data Protection Regulation which aims to replace the ageing 1995 EU data protection directive.

The job is by no means completed. Now the Council of the EU (which shares the EU legislative power with the Parliament) has to deliver its own draft and provide the Member States’ contribution to this crucial process.

In the meantime, here are what I see as key highlights of the text approved by Parliament:

* The EU Parliament has considerably softened its original uber-strict approach and that should be welcomed because it makes the law more realistically applicable in practice.

* However, the complexity of the Commission’s proposal is retained and even expanded in some cases. For example, the one-stop-shop concept is now less clear cut and therefore less likely to work.

* The EU Parliament wants to introduce a standardised format for privacy notices using icons. This is a brave move. The approach suggested is slightly dogmatic but the idea is a good one.

* The provisions on profiling remain but in a more reasonable format. This will continue to be a key area of debate over the coming months.

* There is a new emphasis on bi-annual compliance reviews, which together with the appointment of compulsory data protection officers will make legal compliance significantly more onerous.

* Disappointingly, there still are very unrealistic limitations on international data transfers, which are particularly onerous when made to non-EU public authorities. As predicted, the NSA revelations have distorted this issue and it will take a lot of work to untangle this.

* Finally, the massive fines of up to EUR 100,000,000 or 5% of annual turnover seem to be designed to send a clear signal out there about how serious this stuff is.

In summary, I don’t think the Parliament’s draft is entirely workable as it stands, but with the adoption of this text we are closer to having a modern EU data protection framework than ever before.

According to the European Parliament, Safe Harbor should be suspended. As harsh as this may sound, this is not an off-the-cuff remark by a maverick Member of Parliament, but the outcome of a hearing on the electronic surveillance of EU citizens, involving some key figures of the EU data protection world, that took place this week. The overall view was informed by the following opinions:

* Chris Connolly of Galexia, who in 2008 conducted a study of Safe Harbor which was further updated in 2010, argued that Safe Harbor was ineffective in protecting personal data and that 98% of all Safe Harbor signatories fail to mention potential disclosures of data for national security purposes.

* Imke Sommer, Chair of the German Conference of Federal and State Data Protection Commissioners, pointed out that the German authorities believe there is a substantial likelihood that the Safe Harbor principles are being violated, and that Safe Harbor is simply unable to limit access by US intelligence services to personal data exported from the EU.

* Peter Hustinx, the European Data Protection Supervisor, provided a more legally accurate and balanced view, by rightly acknowledging the merits of Safe Harbor whilst highlighting that mass surveillance programs would probably exceed the scope of the exceptions to the Safe Harbor principles.

Is suspension the only option then? Of course not and it would be insane to brush away the efforts that have been made over the past decade to introduce EU data protection standards into the practices of thousands of US corporations. However, an update of the content of Safe Harbor is more than likely now. At the very least we can expect that the European Commission will make a considerable effort to persuade the US Administration to bring Safe Harbor back to the negotiation table.

The proposed EU Data Protection Regulation is an ambitious piece of legislation by any measure. Perhaps the most ambitious element of all is the introduction of the one-stop-shop principle: one single data protection authority being exclusively competent over an organisation collecting and using data throughout the EU. The reason why this is such a big deal is that even if the law ends up being exactly the same across all Member States (in itself a massive achievement), regulators are human and often show different interpretations of the same issues and rules. So if the one-stop-shop becomes a reality, all EU data protection regulators will simply have to accept the position adopted by the one deemed to be competent and keep their own interpretation to themselves. But will they?

Today the Council of the EU is debating how to structure and shape this principle in a way that provides the benefits that the European Commission and global organisations are seeking, whilst meeting the national expectations of each Member State at the same time. It is a matter of legal and political effectiveness. So far and not surprisingly, the Council’s scale seems to be tilting towards greater national intervention than what the Commission originally aimed for. Whilst most Member States appear to be in favour of the philosophy underlying the one-stop-shop mechanism, only a few accept that one single authority should have exclusive jurisdiction to supervise all of the processing activities of a pan-European data user and decide exclusively upon all measures (including penalties). They cite the likely detriment to the protection of the data protection rights of individuals as their main stumbling block.

Therefore, there are a number of possible changes to this principle that will be discussed today, including:

* Limiting the powers of the ‘competent’ authority to authorisation and consultation functions only. So basically, leaving the paperwork for one regulator whilst any other EU authorities would continue to have enforcement powers.

* Replacing the one-stop-shop with a co-decision model (at least for the most important cases) where all relevant regulators need to agree.

* Adopting a consultation model where the competent authority is legally required to consult the other supervisory authorities concerned with a view to reaching consensus.

* Allowing appeals by unhappy authorities to the European Data Protection Board, which would then collectively be empowered to make the final decision.

How realistic these potential changes are is no doubt something that will come up in the discussions. What is clear is that any weakening of the one-stop-shop principle will affect the effectiveness of the core ‘one law/one regulator’ thinking of the Commission.

The secret of compliance is motivation. That motivation does not normally come from the pleasure and certainty derived from ticking all possible boxes on a compliance checklist. Although, having said that, I have come across sufficiently self-disciplined individuals who seem to make a virtue out of achieving the highest degree of data privacy compliance within their organisations. However, this is quite exceptional. In truth, it is very difficult for any organisation – big or small, in the private or public sector – to get its act together simply out of fear of non-compliance with the law. Putting effective policies and procedures in place is never the result of a sheer drive to avoid regulatory punishment. Successful legal compliance is, more often than not, the result of presenting dry and costly legal obligations as something else. In particular, something that provides tangible benefits.

The fact that personal information is a valuable asset is demonstrated daily. Publicly quoted corporate powerhouses whose business model is entirely dependent on people’s data evidence the present. Innovative and fast-growing businesses in the tech, digital media, data analytics, life sciences and several other sectors show us the future. In all cases, the consistent message coming not just from boardrooms, but from users, customers and investors, is that data fuels success and opportunity. Needless to say, most of that data is linked to each of us as individuals and, therefore, its use has implications in one way or another for our privacy. So, when looked at from the point of view of an organisation which wishes to exploit that data, regulating data privacy equates to regulating the exploitation of an asset.

The term ‘exploitation’ instinctively brings to mind negative connotations. When talking about personal information, whose protection – as is well known – is regarded as a fundamental human right in the EU, the term exploitation is especially problematic. The insinuation that something of such an elevated legal rank is being indiscriminately used to someone’s advantage makes everyone feel uncomfortable. But what about the other meaning of the word? Exploitation is also about making good use of something by harnessing its value. Many responsible and successful businesses, governments and non-profit organisations look at exploiting their assets as a route to sustainability and growth. Exploiting personal information does not need to be negative and, in fact, greater financial profits and popular support – and ultimately, success – will come from responsible, but effective ways of leveraging that asset.

For that reason, it is possible to argue that the most effective way of regulating the exploitation of data as an asset is to prove that responsible exploitation brings benefits that organisations can relate to. In other words, policy making in the privacy sphere should emphasise the business and social benefits – for the private and public sector respectively – of achieving the right level of legal compliance. The rest is likely to follow much more easily and all types of organisations – commercial or otherwise – will endeavour to make the right decisions about the data they collect, use and share. Right for their shareholders, but also for their customers, voters and citizens. The message for policy makers is simple: bring compliance with the law closer to the tangible benefits that motivate decision makers.

This article was first published in Data Protection Law & Policy in September 2013 and is an extract from Eduardo Ustaran’s forthcoming book The Future of Privacy, which is due to be published in November 2013.

This may sound like an overstatement, but privacy impact assessments (PIAs) are likely to become the most vital item in the privacy professional’s toolkit. One of the earliest guidance documents on PIAs, the New Zealand Office of the Privacy Commissioner’s PIA Handbook, describes the concept as a systematic process that evaluates a proposal in terms of its impact upon privacy. That is a slightly abstract description, but it captures some of the crucial elements that make this tool so useful. The reference to a PIA being a systematic process means that those who put it into practice should ideally follow an established approach that suits the culture and operations of the organisation. In other words, whatever a PIA is designed to deliver, it is essential that it is embedded in the workings of the organisation and is seen as sufficiently meaningful and constructive.

Being constructive is in fact more than an aspiration; it is the essence of the whole idea. Fans of PIAs quickly point out that a PIA should be distinguished from a privacy compliance audit. The reason for this is that audits look at whether, and how effectively, compliance is being achieved. PIAs, on the other hand, look at a proposed new system, operation or product and tell us how it will fare from a privacy perspective. The emphasis is on the future, which if anything makes PIAs ideal for assessing the privacy implications of ever-evolving technology. But in addition to being as dynamic as the technological developments and proposed activities assessed through them, PIAs are also meant to make a privacy-friendly contribution to such developments and activities.

PIAs are also constructive because they seek to allow the aims of the proposed activity to be met as far as possible. This feature makes this tool particularly useful for privacy professionals. There is not much point in trying to defend privacy protection as something that adds value if the outcome of a privacy assessment is to close doors to innovation and progress. Privacy professionals need to be seen as being on the side of the organisation – whilst remaining robust in their outlook – and PIAs are an effective tool for doing that. PIAs should still be rigorous even if they are simple to execute. PIAs should be meaningful as well as flexible. But above all, they should be sending a powerful message within the organisations where they take place: assessing the impact of an intended development on people’s privacy and coming up with sensible ways of preventing unjustifiable risks is for everyone’s benefit, from software developers to customers and from suppliers to the CEO.

The point about preventing risks should not be underestimated. This is something that all the available guidance seems to emphasise. Even when looked at from a European perspective, the justification for doing a PIA rests on minimising risks to privacy. The UK Information Commissioner’s new draft Code of Practice on PIAs makes numerous references to the fact that PIAs are there to spot all types of privacy-related risks, including risks to individual privacy, compliance risks and related corporate or organisational risks. This gives us a very visible clue as to the direction in which even EU regulators are looking, which is incredibly helpful in guiding the strategic thinking of privacy professionals.

This is what makes PIAs particularly relevant in the context of global compliance. A compliance audit is more likely to focus on the legal obligations of a given regime, but when trying to address privacy needs at a global scale, a PIA will be a much more useful and practical tool. To the extent that a PIA needs to follow a methodology, this can be based on globally recognised principles rather than narrowly prescribed legal obligations. A PIA is more than a mechanism for compliance. It is a mechanism for making organisations think about privacy at the time when the ideas are flowing and the level of enthusiasm is high, and it does that through a risk-based globally applicable process. Welcome to privacy management for the 21st century!

This article was first published in Data Protection Law & Policy in August 2013.

At present, there is a visible mismatch between the globalisation of data and the multinational approach to privacy regulation. Data is global by nature as, regulatory limits aside, it runs unconstrained through wired and wireless networks across countries and continents. Put in a more poetic way, a digital torrent of information flows freely in all possible directions every second of the day without regard for borders, geographical distance or indeed legal regimes and cultures. Data legislation on the other hand is typically attached to a particular jurisdiction – normally a country, sometimes a specific territory within a country and occasionally a selected group of countries. As a result, today, there is no such thing as a single global data protection law that follows the data as it makes its way around the world.

However, there is light at the end of the tunnel. Despite the current trend of new laws in different shapes and flavours emerging from all corners of the planet, there is still a tendency amongst legislators to rely on a principles-based approach, even if that translates into extremely prescriptive obligations in some cases – such as Spain’s applicable data security measures depending on the category of data or Germany’s rules to include certain language in contracts for data processing services. Whether it is lack of imagination or testimony to the sharp brains behind the original attempts to regulate privacy, it is possible to spot a common pedigree in most laws, which is even more visible in the case of any international attempts to frame privacy rules.

When analysed in practice and through the filter of distant geographical locations and moments in time, it is definitely possible to appreciate the similarities in the way privacy principles have been implemented by fairly diverse regulatory frameworks. Take ‘openness’ in the context of transparency, for example. The words may be slightly different and in the EU directive, it may not be expressly named as a principle, but it is consistently everywhere – from the 1980 OECD Guidelines to Safe Harbor and the APEC Privacy Framework. The same applies to the idea of data being collected for specified purposes, being accurate, complete and up to date, and people having access to their own data. Seeing the similarities or the differences between all of these international instruments is a matter of mindset. If one looks at the words, they are not exactly the same. If one looks at the intention, it does not take much effort to see how they all relate.

Being a lawyer, I am well aware of the importance of each and every word and its correct interpretation, so this is not an attempt to brush away the nuances of each regime. But in the context of something like data and the protection of all individuals throughout the world to whom the data relates, achieving some global consistency is vital. The most obvious approach to resolving the data globalisation conundrum would be to identify and put in place a set of global standards that apply on a worldwide basis. That is exactly what a number of privacy regulators backed by a few influential thinkers tried to do with the Madrid Resolution on International Standards on the Protection of Personal Data and Privacy of 2009. Unfortunately, the Madrid Resolution never became a truly influential framework. Perhaps it was a little too European. Perhaps the regulators ran out of steam to press on with the document. Perhaps the right policy makers and stakeholders were not involved. Whatever it was, the reality is that today there is no recognised set of global standards that can be referred to as the one to follow.

So until businesses, politicians and regulators manage to crack a truly viable set of global privacy standards, there is still an urgent need to address the privacy issues raised by data globalisation. As always, the answer is dialogue. Dialogue and a sense of common purpose. The USA and the EU in particular have some important work to do in the context of their trade discussions and review of Safe Harbor. First they must both acknowledge the differences and recognise that an area like privacy is full of historical connotations and fears. But most important of all, they must accept that principles-based frameworks can deliver a universal baseline of privacy protection. This means that efforts must be made by all involved to see what Safe Harbor and EU privacy law have in common – not what they lack. It is through those efforts that we will be able to create an environment of mutual recognition of approaches and ultimately, a global mechanism for protecting personal information.

This article was first published in Data Protection Law & Policy in July 2013.

We now know the Advocate General’s Opinion in the most eagerly followed data protection case in the history of the European Court of Justice (ECJ). After the prolific enforcement actions of the Spanish data protection authority to stop Google showing unwanted personal data in search results, the resulting court battles were escalated all the way to the ECJ. Whilst the final decision is still a few months away, the influential Opinion of the Advocate General (AG) is a clear indication of where things are going.

The ultimate question is whether Google, in its capacity as a search engine provider, is legally required to honour individuals’ requests to block personal data from appearing in search results. For that to be the case, the court will have to answer affirmatively a three-fold legal test:

1. Does EU law apply to Google? The AG’s Opinion is YES if the search engine provider has an establishment in a Member State for the purpose of promoting and selling advertising space on the search engine, as that establishment acts as the bridge between the search service and the revenue generated by advertising.

Unfortunately the AG does not deal with the question of whether Google Inc. uses equipment in Spain, so we don’t know whether an Internet company with no physical presence in the EU will be caught by EU law.

2. Does a search engine process personal data? The AG’s answer here is also YES, because notions of ‘personal data’ and ‘processing’ are sufficiently wide to cover the activities involved in retrieving information sought by users.

3. Is Google a controller of that data? Crucially, the AG’s answer is NO, because a search engine is not aware of the existence of a certain defined category of information amounting to personal data. Therefore, Google is not in a position to determine the uses made of that data.

So the conclusion, according to the AG, is that a data protection authority cannot compel Google to stop revealing personal data as part of search results.

In addition, the AG goes on to say that even if the ECJ were to find that internet search engine service providers were responsible as controllers for personal data appearing in search results, an individual would still not have a general ‘right to be forgotten’, as this is not contemplated in the current Directive.